LDAP: Difference between revisions
m (Add migration note)
m (Add shell server configuration documentation)
(3 intermediate revisions by the same user not shown)
Line 2: | Line 2: | ||
=Backend= | =Backend= | ||
* Server: ldap2.space.revspace.nl | * Server: ldap2.space.revspace.nl | ||
Line 13: | Line 11: | ||
** Location: /var/lib/ldap/data | ** Location: /var/lib/ldap/data | ||
* ACL: yes | * ACL: yes | ||
=Access= | |||
* From ldap2 itself: <code># shelldap</code> | |||
* From anywhere in the space network: <code>ldap2:636</code> (TLS) | |||
=Layout= | =Layout= | ||
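Review bot: the new Access bullet "From anywhere in the space network: ldap2:636 (TLS)" documents the port but not how clients are expected to validate the server certificate; consider adding which CA signs the ldap2 certificate and that clients should require verification (for nslcd, the tls_reqcert / tls_cacertfile settings), otherwise "TLS" on this line gives no assurance against a spoofed server on the space network.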
Line 18: | Line 21: | ||
<pre> | <pre> | ||
dc=space,dc=revspace,dc=nl | dc=space,dc=revspace,dc=nl | ||
`-+- ou=groups # groepen van entiteiten | `-+- ou=groups # groepen van entiteiten (optioneel posixGroup) | ||
| `-+- cn=board # groep van bestuursleden | | `-+- cn=board # groep van bestuursleden | ||
| `- cn= | | `- cn=sudo # groep van sysadmins | ||
+- ou=people # natuurlijke personen | +- ou=people # natuurlijke personen | ||
| `- uid=... | | `- uid=... | ||
Line 34: | Line 37: | ||
* [[Spacenet|Spacenet RADIUS]] | * [[Spacenet|Spacenet RADIUS]] | ||
* [[Shell-jessie|Shell server]] | * [[Shell-jessie|Shell server]] | ||
=Configuration= | |||
==Shell servers== | |||
The Debian shell servers use [https://wiki.debian.org/LDAP/NSS libnss-ldapd], with a few caveats: | |||
* <code>/etc/nslcd.conf</code> needs to be configured with a service DN and bind password specific to that shell server. | |||
* To get auxiliary groups working (like <code>sudo</code>), <code>ldap</code> needs to be first in the <code>group</code> entry in <code>/etc/nsswitch.conf</code>. |
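Review bot: the first bullet introduces a per-server bind password in /etc/nslcd.conf but says nothing about protecting it; since nslcd stores bindpw in plaintext, consider adding that the file must keep its Debian default permissions (readable by root and the nslcd user only, never world-readable) and that the service DN should be a dedicated entry under ou=services rather than the cn=admin fallback account described in the Layout section. The second bullet could also mention the cn=sudo posixGroup added in the Layout hunk, since that is the group the "ldap first in group:" ordering exists to resolve.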
Latest revision as of 23:10, 22 March 2024
The Lightweight Directory Access Protocol (LDAP) is used in RevSpace in most places where authentication is required.
Backend
- Server: ldap2.space.revspace.nl
- IP: 10.42.42.9
- Port: 636 (TLS)
- Software: slapd (openldap)
- Config: /etc/ldap/slapd.conf
- Database: LDIF (for easy recovery/editing)
- Location: /var/lib/ldap/data
- ACL: yes
Access
- From ldap2 itself: # shelldap
- From anywhere in the space network: ldap2:636 (TLS)
Layout
dc=space,dc=revspace,dc=nl
 `-+- ou=groups       # groups of entities (optionally posixGroup)
   | `-+- cn=board    # group of board members
   |   `- cn=sudo     # group of sysadmins
   +- ou=people       # natural persons
   | `- uid=...
   +- ou=services     # non-natural persons
   | `- cn=...
   `- cn=admin        # fallback admin account (emergency, console access, hardcoded in slapd.conf)
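To make the tree above concrete, here is an added LDIF example (not from the RevSpace wiki or its actual directory) that instantiates one entry of each branch. The DNs follow the page's layout; the object classes (posixGroup for cn=sudo, organizationalRole plus simpleSecurityObject for a service account, inetOrgPerson plus posixAccount for a person) and all uid/gid/password values are assumptions chosen for illustration.

```ldif
# Added example: minimal entries matching the RevSpace layout.
# All numeric ids, names and the password hash are constructed placeholders.

dn: ou=groups,dc=space,dc=revspace,dc=nl
objectClass: organizationalUnit
ou: groups

# posixGroup so that nslcd can hand it out as an auxiliary (supplementary) group;
# this is the group the shell servers resolve for sudo membership.
dn: cn=sudo,ou=groups,dc=space,dc=revspace,dc=nl
objectClass: posixGroup
cn: sudo
gidNumber: 20001
memberUid: example-sysadmin

dn: ou=people,dc=space,dc=revspace,dc=nl
objectClass: organizationalUnit
ou: people

# A natural person; posixAccount supplies what nslcd needs for passwd lookups.
dn: uid=example-sysadmin,ou=people,dc=space,dc=revspace,dc=nl
objectClass: inetOrgPerson
objectClass: posixAccount
uid: example-sysadmin
cn: Example Sysadmin
sn: Sysadmin
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/example-sysadmin
loginShell: /bin/bash

dn: ou=services,dc=space,dc=revspace,dc=nl
objectClass: organizationalUnit
ou: services

# One service account per shell server: this DN is what binddn in that
# server's /etc/nslcd.conf points at, so cn=admin never has to leave ldap2.
dn: cn=shell-example,ou=services,dc=space,dc=revspace,dc=nl
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: shell-example
userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER
```

Because each shell server binds as its own cn=...,ou=services entry, a leaked nslcd.conf from one machine can be revoked by changing or deleting that single entry, and the ACLs in slapd.conf can limit such accounts to read access on ou=people and ou=groups.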
Services
Configuration
Shell servers
The Debian shell servers use libnss-ldapd, with a few caveats:
- /etc/nslcd.conf needs to be configured with a service DN and bind password specific to that shell server.
- To get auxiliary groups working (like sudo), ldap needs to be first in the group entry in /etc/nsswitch.conf.
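The two caveats above are easy to get wrong silently, so here is an added POSIX shell audit script (not from the RevSpace wiki or the shell servers' own configuration) that checks them: that ldap is the first source on the group: line of nsswitch.conf, that nslcd.conf binds with a per-server DN under ou=services rather than the emergency cn=admin account (the ou=services placement is an assumption based on the Layout section), and that the file holding bindpw is not world-readable. It runs against constructed sample files so it works offline; point the check functions at the real /etc/nslcd.conf and /etc/nsswitch.conf to audit a server.

```shell
#!/bin/sh
# Added example, not from the RevSpace wiki: audit the libnss-ldapd caveats on
# a Debian shell server. Every check takes a file path so it can run against
# the constructed samples below as well as the real files under /etc.

# Exit 0 when "ldap" is the first source on the "group:" line of an
# nsswitch.conf; auxiliary groups such as sudo come from LDAP only then.
check_group_order() {
    first=$(sed -n 's/^group:[[:space:]]*//p' "$1" | awk '{ print $1 }')
    [ "$first" = "ldap" ]
}

# Exit 0 when nslcd.conf binds with a per-server service DN under ou=services
# (assumed layout) and not with the fallback cn=admin account.
check_binddn() {
    dn=$(sed -n 's/^binddn[[:space:]]*//p' "$1")
    [ -n "$dn" ] || return 1
    case "$dn" in
        cn=admin,*) return 1 ;;
        *,ou=services,dc=space,dc=revspace,dc=nl) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when the file holding bindpw is not world-readable
# (column 8 of "ls -l" output is the others-read bit).
check_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Run all checks for one nslcd.conf / nsswitch.conf pair; one line per finding.
audit() {
    check_group_order "$2" || echo "FAIL: ldap is not first in group: of $2"
    check_binddn "$1" || echo "FAIL: binddn in $1 is not a per-server service DN"
    check_not_world_readable "$1" || echo "FAIL: $1 is world-readable but contains bindpw"
}

# Constructed sample files: a correct pair and a pair with every caveat wrong.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/nsswitch.good" <<'EOF'
passwd:         files ldap
group:          ldap files
shadow:         files ldap
EOF
cat > "$SAMPLE/nsswitch.bad" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
EOF
cat > "$SAMPLE/nslcd.good" <<'EOF'
uri ldaps://ldap2.space.revspace.nl/
base dc=space,dc=revspace,dc=nl
tls_reqcert demand
binddn cn=shell-example,ou=services,dc=space,dc=revspace,dc=nl
bindpw CONSTRUCTED-PLACEHOLDER
EOF
chmod 640 "$SAMPLE/nslcd.good"
cat > "$SAMPLE/nslcd.bad" <<'EOF'
uri ldaps://ldap2.space.revspace.nl/
base dc=space,dc=revspace,dc=nl
binddn cn=admin,dc=space,dc=revspace,dc=nl
bindpw CONSTRUCTED-PLACEHOLDER
EOF
chmod 644 "$SAMPLE/nslcd.bad"

echo "== good pair =="
audit "$SAMPLE/nslcd.good" "$SAMPLE/nsswitch.good"
echo "== bad pair =="
audit "$SAMPLE/nslcd.bad" "$SAMPLE/nsswitch.bad"
```

The group-order check only looks at the first source, which is exactly what the caveat requires; a line such as "group: files ldap" still resolves LDAP groups, but a user's supplementary groups are then taken from the first source that knows the user, so an LDAP-only cn=sudo membership never reaches sudo.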